From tmseck@netcologne.de  Sat Jan 29 20:05:18 2005
Return-Path: <tmseck@netcologne.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3501116A4D3
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 29 Jan 2005 20:05:18 +0000 (GMT)
Received: from smtp1.netcologne.de (smtp1.netcologne.de [194.8.194.112])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A513F43D45
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 29 Jan 2005 20:05:15 +0000 (GMT)
	(envelope-from tmseck@netcologne.de)
Received: from laurel.tmseck.homedns.org (xdsl-213-196-220-78.netcologne.de [213.196.220.78])
	by smtp1.netcologne.de (Postfix) with SMTP id 73C0838D8F
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 29 Jan 2005 21:05:12 +0100 (MET)
Received: (qmail 29414 invoked by uid 1001); 29 Jan 2005 20:05:32 -0000
Message-Id: <20050129200531.29413.qmail@laurel.tmseck.homedns.org>
Date: 29 Jan 2005 20:05:31 -0000
From: Thomas-Martin Seck <tmseck@netcologne.de>
Reply-To: Thomas-Martin Seck <tmseck@netcologne.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc: security-team@laurel.tmseck.homedns.org
Subject: [Maintainer/security] www/squid: fix buffer overflow in WCCP
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         76827
>Category:       ports
>Synopsis:       [Maintainer/security] www/squid: fix buffer overflow in WCCP
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    sem
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 29 20:10:19 GMT 2005
>Closed-Date:    Sat Jan 29 21:50:43 GMT 2005
>Last-Modified:  Sat Jan 29 21:50:43 GMT 2005
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of Jan 29, 2005.

	
>Description:
Integrate a vendor patch against a buffer overflow in the WCCP handling,
see <http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflow>
and <http://www.squid-cache.org/Advisories/SQUID-2005_3.txt>.

Security Team CC'ed, proposed VuXML data, entry date left to be filled in:

  <vuln vid="23fb5a04-722b-11d9-9e1e-c296ac722cb3">
    <topic>squid -- buffer overflow in WCCP recvfrom() call</topic>
    <affects>
      <package>
	<name>squid</name>
	<range><lt>2.5.7_10</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>According to the Squid Proxy Cache Security Update Advisory SQUID-2005:3,</p>
	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2005_3.txt">
	  <p>The WCCP recvfrom() call accepts more data than will fit in
	    the allocated buffer.  An attacker may send a larger-than-normal
	    WCCP message to Squid and overflow this buffer.</p>
	  <p>Severity:</p>
	  <p>The bug is important because it allows remote attackers to crash
	    Squid, causing a disription in service.  However, the bug is
	    exploitable only if you have configured Squid to send WCCP messages
	    to, and expect WCCP replies from, a router.</p>
	  <p>Sites that do not use WCCP are not vulnerable.</p>
	</blockquote>
	<p>Note that while the default configuration of the FreeBSD squid port
	  enables WCCP support in general, the default configuration
	  supplied does not actually configure squid to send and receive WCCP
	  messages.</p>
      </body>
    </description>
    <references>
        <url>http://www.squid-cache.org/Advisories/SQUID-2005_3.txt</url>
	<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflow</url>
	<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1217</url>
    </references>
    <dates>
      <discovery>2005-01-28</discovery>
      <entry></entry>
    </dates>
  </vuln>
	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(revision 371)
+++ distinfo	(.../local/squid)	(revision 371)
@@ -44,3 +44,5 @@
 SIZE (squid2.5/squid-2.5.STABLE7-short_icons_urls.patch) = 704
 MD5 (squid2.5/squid-2.5.STABLE7-response_splitting.patch) = ff3d8ae3e933817c91e745beba76b5fc
 SIZE (squid2.5/squid-2.5.STABLE7-response_splitting.patch) = 9782
+MD5 (squid2.5/squid-2.5.STABLE7-wccp_buffer_overflow.patch) = 01b1a4a23f170723d7e2bc3846e12c73
+SIZE (squid2.5/squid-2.5.STABLE7-wccp_buffer_overflow.patch) = 505
Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(revision 371)
+++ Makefile	(.../local/squid)	(revision 371)
@@ -74,7 +74,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.7
-PORTREVISION=	9
+PORTREVISION=	10
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -108,7 +108,8 @@
 		squid-2.5.STABLE7-httpd_accel_no_pmtu_disc.patch \
 		squid-2.5.STABLE7-ftp_datachannel.patch \
 		squid-2.5.STABLE7-short_icons_urls.patch \
-		squid-2.5.STABLE7-response_splitting.patch
+		squid-2.5.STABLE7-response_splitting.patch \
+		squid-2.5.STABLE7-wccp_buffer_overflow.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de
	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->sem 
Responsible-Changed-By: sem 
Responsible-Changed-When: Sat Jan 29 21:40:10 GMT 2005 
Responsible-Changed-Why:  
Lock 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76827 
State-Changed-From-To: open->closed 
State-Changed-By: sem 
State-Changed-When: Sat Jan 29 21:49:49 GMT 2005 
State-Changed-Why:  
Nice work. 
Commited, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76827 
>Unformatted:
